Amid Attacks, CEOs In The Dark About Cyber Security

There is always a lot of finger-pointing after a data breach. Who is to blame? Who didn't do their job? A recent survey finds that a distressingly large number of CEOs are not aware of what kind of security threats their organizations are dealing with.

When it comes to security, CEOs have no clue what is going on inside their organizations. So found a Ponemon Institute report released this week which examined how organizations prepared for, and responded to, security incidents. A whopping 80 percent of survey respondents said they did not "frequently communicate" with executive management about potential cyber-attacks threatening the organization. This extends beyond the CEO and encompasses the entire C-suite (CIO, CSO, COO, CTO, etc).

It was surprising that "the information is just not getting up to the C-suite," Mike Potts, president and CEO of Lancope, told Security Watch. "We talk about this stuff all the time," he added.

Companies are spending millions of dollars on security products and services and still getting breached, according to Lancope, who commissioned the study. In fact, Gartner said $67 billion was spent on IT security products globally in 2013. Yet $250 billion worth of intellectual property is stolen from companies each year. Where is the disconnect?

No Regular UpdatesMany executives may look at all the security spending and think, "I got all this stuff, I am done," Potts said. If they are not receiving regular updates and information about the organization's overall security posture, then there is no reason to revise that view. But that's not how it should be. "The current scenario is not 'set and forget,'" Potts said.

While the survey didn't ask why IT personnel weren't raising the issues with the C-suite, Potts suggested the issue may be related to how security is measured within the organization. Half of respondents said they had no metrics to measure the effectiveness of their incident response capabilities. This means they are unable to translate the threats and problems into language the senior executives—concerned about the overall business—can understand or work with.

It's also very likely that even if the discussions about security happened, that executives were receiving a very "watered down" version of the problems, Potts said.

"Now is the time for C-level executives and IT decision-makers to come together and develop stronger, more comprehensive plans for incident response. This communication is critical if we want to reduce the astounding frequency of high-profile data breaches and damaging corporate losses we are seeing in the media on a near-daily basis," Potts said.

Money MattersPart of the problem is an investment issue. Half of the respondents in the survey said less than 10 percent of their overall security budget is earmarked for incident response, and despite the growing pace of attacks and threats, most said they have not increased that allocation in the past two years.

It makes sense. If the C-level executives don't realize what the risks and threats are, then they won't prioritize the budget. If the executives know the potential loss or damage is going to be fairly large, then they can act accordingly to close that gap. Executives need to "have the right information to make the right investments," Potts said.

Need to ChangeAbout 68 percent of respondents said their organizations had experienced a data breach or some other security incident in the past two years. Of that group, almost half, or 46 percent, of the respondents said another incident was "imminent" and could happen within the next six months. This is serious, and clearly, the C-suite should be concerned and working with IT to make sure necessary steps are being taken, right?

Not according to the survey, because the majority of the 674 IT and security professionals in the survey claimed they were not escalating these issues or letting the senior executives know what was looming. Makes you wonder just how much the Target CEO knew before he was thrust into the national spotlight and asked to discuss the breach, doesn't it?

Potts was hopeful that the data breach at Target and other retailers would act as a wake-up call for others. Maybe Target will change how organizations communicate, and "make it easy to tell the C-suite about security problems," Potts said.

Fahmida Y. Rashid is a senior analyst for business at PCMag.com. She focuses on ways businesses can use technology to work efficiently and easily. She is paranoid about security and privacy, and considers security implications when evaluating business technology. She has written for eWEEK, Dark Reading, and SecurityWeek covering security, core Internet infrastructure, and open source.
Follow me on Twitter: zdfyrashid
More »